Fixed it - I needed to include a leftsubnet entry in the peer ipsec.conf to match rightsubnet in the host. With hindsight, of course this would be necessary as the stack needs to know what subnet to route over the VPN...
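The fix above comes down to keeping the traffic selectors mirrored: whatever the host lists as `rightsubnet` must appear as `leftsubnet` on the peer, and vice versa, otherwise the child SA is negotiated for the gateway address alone and LAN traffic never enters the tunnel. The following script is an added example, not part of the original post or of strongSwan; it parses two constructed `ipsec.conf` fragments (the hostnames, subnets and the `conn site` name are all made up) and reports any selector that does not line up. It only understands plain `key=value` lines under `conn` sections, not `also=` or `include` directives.

```python
"""Check that a host and a peer ipsec.conf describe mirrored traffic
selectors (host rightsubnet == peer leftsubnet and vice versa).
Added example with constructed sample configs; the conn name, addresses
and subnets are assumptions, not taken from any real deployment."""

import ipaddress

# Constructed host-side configuration.
HOST_CONF = """\
config setup

conn site
    left=203.0.113.10
    leftsubnet=10.1.0.0/24
    right=198.51.100.20
    rightsubnet=10.2.0.0/24
    auto=start
"""

# Constructed peer configuration as it was before the fix: no leftsubnet,
# so strongSwan falls back to the peer's own address as the local selector.
PEER_CONF_BROKEN = """\
conn site
    left=198.51.100.20
    right=203.0.113.10
    rightsubnet=10.1.0.0/24
    auto=start
"""

# Constructed peer configuration after adding the matching leftsubnet.
PEER_CONF_FIXED = """\
conn site
    left=198.51.100.20
    leftsubnet=10.2.0.0/24
    right=203.0.113.10
    rightsubnet=10.1.0.0/24
    auto=start
"""


def parse_ipsec_conf(text):
    """Return {section header: {key: value}} for a simple ipsec.conf.

    A section header is any non-indented line (e.g. 'conn site');
    indented key=value lines belong to the most recent header.
    Comments introduced by '#' are stripped.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            current = line.strip()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.strip().split("=", 1)
        sections[current][key.strip()] = value.strip()
    return sections


def normalize_subnets(value):
    """Turn 'a/24,b/16' into a set of ip_network objects for comparison."""
    return {ipaddress.ip_network(s.strip(), strict=False)
            for s in value.split(",") if s.strip()}


def selector_mismatches(host_conf, peer_conf, conn):
    """List every host/peer selector pair that is missing or unequal."""
    host = parse_ipsec_conf(host_conf).get(f"conn {conn}", {})
    peer = parse_ipsec_conf(peer_conf).get(f"conn {conn}", {})
    problems = []
    # Each host key must equal the opposite key on the peer.
    for host_key, peer_key in (("rightsubnet", "leftsubnet"),
                               ("leftsubnet", "rightsubnet")):
        h, p = host.get(host_key), peer.get(peer_key)
        if h is None or p is None:
            problems.append(
                f"host {host_key}={h!r} but peer {peer_key}={p!r} "
                f"(a missing side defaults to that gateway's own address)")
        elif normalize_subnets(h) != normalize_subnets(p):
            problems.append(f"host {host_key}={h} != peer {peer_key}={p}")
    return problems


if __name__ == "__main__":
    for label, peer in (("before fix", PEER_CONF_BROKEN),
                        ("after fix", PEER_CONF_FIXED)):
        issues = selector_mismatches(HOST_CONF, peer, "site")
        print(f"{label}: {'OK' if not issues else issues}")
```

Running it prints one mismatch for the pre-fix peer (the host's `rightsubnet` has no `leftsubnet` counterpart) and `OK` once the peer carries the mirrored `leftsubnet`; the same check can be pointed at real files by reading them into the two string arguments.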